Download
AzureAD-Attack-Defense is a community-maintained playbook that collects common attack scenarios against Microsoft Entra ID (formerly Azure Active Directory) together with detection and mitigation guidance. The repository is organized into focused chapters — for example: Password Spray, Consent Grant, Service Principals in Azure DevOps, Entra Connect Sync Service Account, Replay of Primary Refresh Token (PRT), Entra ID Security Config Analyzer, and Adversary-in-the-Middle — each written to explain the attack, show detection approaches, and recommend mitigation steps. For each scenario the playbook describes the attack flow, maps the techniques to the MITRE ATT&CK framework, and explains how to leverage Microsoft’s security stack (Microsoft Defender XDR, Microsoft Sentinel, Azure Entra ID Connect, and Defender for Cloud) to detect and respond.
Features
- Chaptered attack/playbook structure with step-by-step attack description, detection guidance, and mitigation recommendations
- MITRE ATT&CK mapping and visual navigator layers to link scenarios to tactics and techniques
- Ready-to-deploy Microsoft Sentinel rule templates (JSON/ARM) for quick ingestion into defender workflows
- Detection guidance tied to Microsoft Defender XDR, Defender for Cloud, and Entra ID telemetry
- Appendix content for identity security monitoring and lateral movement prevention between AD and Entra ID
- Community contribution model and living-document updates so chapters are regularly reviewed and expanded
Project Samples
